ReversingLabs Software Supply Chain Security Report 2025

The 2025 ReversingLabs Software Supply Chain Security Report reveals escalating risks in software supply chains, highlighting sophisticated attacks on open-source and commercial software, especially targeting cryptocurrency and AI sectors. It emphasizes critical vulnerabilities, leaking developer secrets, state-backed intrusions, and the diminishing effectiveness of traditional vulnerability management methods. #RustDoor #XZUtils #JAVS #BIPClip #aiocpa

Keypoints

  • Like most annual cybersecurity reports, it opens with a message from leadership, followed by report highlights, an executive summary, a detailed review of key trends, and specific case studies or focus areas, and closes with methodology and about sections.
  • The 2025 report outlines major incidents such as the XZ Utils backdoor compromise, JAVS commercial software hack delivering RustDoor malware, and multiple malicious campaigns targeting cryptocurrency infrastructure.
  • Significant statistics include a 12% increase in leaked developer secrets in open-source repos, and an average of 27 security flaws detected per major open-source package, of which 2 per package are critical, affecting millions of downloads.
  • The report identifies a steep decline in open-source malware instances but warns of ongoing sophisticated, hands-on-keyboard attacks and typosquatting techniques targeting crypto-related software packages in npm and PyPI.
  • Risks in commercial binaries are characterized by "seven deadly sins": malware presence, tampering, poor file hardening, file rot, exposed secrets, known exploitable vulnerabilities, and licensing issues; many commercial VPN clients were found to carry critical unpatched flaws.
  • State-backed attackers, notably linked to North Korea, employ social-engineering and fake developer recruitment campaigns to infiltrate development organizations and implant malicious Python packages disguised as job tests.
  • The report highlights the breakdown of traditional CVE-based vulnerability management due to reduced National Vulnerability Database (NVD) support, urging new cyber risk assessment approaches.
  • Recommendations stress enhancing software supply chain security tools, demanding transparency from software suppliers, and adapting defenses to shifting threat landscapes including AI/ML ecosystem vulnerabilities and nth-party risks beyond standard Software Bill of Materials (SBOM).
ReversingLabs-Software-Supply-Chain-Security-Report-2025
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)

Download Report from Github